如何在C ++中内联ASM中调用此汇编函数(DLL Injection) [英] How to call this assembly function in Inlined ASM in C++ (DLL Injection)
问题描述
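seg000:004481D0 ; =============== S U B R O U T I N E =======================================
seg000:004481D0
seg000:004481D0 ; Attributes: bp-based frame
seg000:004481D0 ; Calling convention as seen in the body: this in ECX (copied to ESI),
seg000:004481D0 ; two dword args at [ebp+8] / [ebp+0Ch], callee-cleaned ("retn 8").
seg000:004481D0 ; EBX/ESI/EDI are saved and restored. ECX is dereferenced at 4481DA,
seg000:004481D0 ; so a caller that leaves ECX uninitialized faults there.
seg000:004481D0
seg000:004481D0 sub_4481D0 proc near
seg000:004481D0
seg000:004481D0 arg_0 = dword ptr 8
seg000:004481D0 arg_4 = dword ptr 0Ch
seg000:004481D0
seg000:004481D0 push ebp
seg000:004481D1 mov ebp, esp
seg000:004481D3 push esi
seg000:004481D4 mov esi, ecx ; this (ECX) -> ESI
seg000:004481D6 push edi
seg000:004481D7 mov edi, [ebp+arg_0]
seg000:004481DA mov eax, [esi] ; first dereference of this
seg000:004481DC push edi
seg000:004481DD call dword ptr [eax+0D4h]
seg000:004481E3 mov edi, [esi+edi*4+1BBD4h]
seg000:004481EA test edi, edi
seg000:004481EC jz loc_4482D2
seg000:004481F2 mov eax, [ebp+arg_4]
seg000:004481F5 mov edx, [edi]
seg000:004481F7 push ebx
seg000:004481F8 push eax
seg000:004481F9 mov ecx, edi
seg000:004481FB call dword ptr [edx+4Ch]
seg000:004481FE mov al, [edi+9Ch]
seg000:00448204 or edx, 0FFFFFFFFh
seg000:00448207 test al, al
seg000:00448209 mov [edi+1Ch], edx
seg000:0044820C jz loc_4482A5
seg000:00448212 mov eax, 0B1808224h
seg000:00448217 mov ecx, 0B2h
seg000:0044821C mov ebx, offset off_4AC700
seg000:00448221
seg000:00448221 loc_448221: ; CODE XREF: sub_4481D0+59j
seg000:00448221 xor eax, [ebx+ecx*4-83A30h]
seg000:00448228 dec ecx
seg000:00448229 jnz short loc_448221
seg000:0044822B mov dword ptr [eax+esi+2C6A010h], 1
seg000:00448236 mov [esi+1BB98h], edx
seg000:0044823C mov edx, [edi]
seg000:0044823E mov ecx, edi
seg000:00448240 call dword ptr [edx+38h]
seg000:00448243 mov ecx, [esi+5A3Ch]
seg000:00448249 mov eax, [ebp+arg_4]
seg000:0044824C cmp eax, 8
seg000:0044824F mov [ecx+27Fh], eax
seg000:00448255 mov edx, [esi+878h]
seg000:0044825B mov dword ptr [edx+230h], 0
seg000:00448265 jz short loc_448299
seg000:00448267 mov [esi+87Ch], eax
seg000:0044826D mov eax, [esi]
seg000:0044826F push 0FFFFFFFFh
seg000:00448271 mov ecx, esi
seg000:00448273 call dword ptr [eax+0C0h]
seg000:00448279 mov ecx, [esi+878h]
seg000:0044827F push 0FFFFFFFFh
seg000:00448281 push 0FFFFFFFFh
seg000:00448283 mov ebx, [ecx]
seg000:00448285 call _rand
seg000:0044828A mov ecx, [esi+878h]
seg000:00448290 push eax
seg000:00448291 call dword ptr [ebx+98h]
seg000:00448297 jmp short loc_4482AC
seg000:00448299 ; ---------------------------------------------------------------------------
seg000:00448299
seg000:00448299 loc_448299: ; CODE XREF: sub_4481D0+95j
seg000:00448299 mov dword ptr [esi+1B654h], 0FFFFFFFFh
seg000:004482A3 jmp short loc_4482AC
seg000:004482A5 ; ---------------------------------------------------------------------------
seg000:004482A5
seg000:004482A5 loc_4482A5: ; CODE XREF: sub_4481D0+3Cj
seg000:004482A5 mov dword ptr [edi+4Ch], 2
seg000:004482AC
seg000:004482AC loc_4482AC: ; CODE XREF: sub_4481D0+C7j
seg000:004482AC ; sub_4481D0+D3j
seg000:004482AC mov al, [esi+1BB74h]
seg000:004482B2 pop ebx
seg000:004482B3 test al, al
seg000:004482B5 jz short loc_4482D2
seg000:004482B7 mov eax, [edi+5Ch]
seg000:004482BA mov ecx, [edi+58h]
seg000:004482BD mov edx, [esi+5A3Ch]
seg000:004482C3 push eax
seg000:004482C4 add edi, 6Dh
seg000:004482C7 push ecx
seg000:004482C8 push edi
seg000:004482C9 call dword ptr [edx+23A2h]
seg000:004482CF add esp, 0Ch
seg000:004482D2
seg000:004482D2 loc_4482D2: ; CODE XREF: sub_4481D0+1Cj
seg000:004482D2 ; sub_4481D0+E5j
seg000:004482D2 pop edi
seg000:004482D3 pop esi
seg000:004482D4 pop ebp
seg000:004482D5 retn 8 ; callee pops the two dword args
seg000:004482D5 sub_4481D0 endp
seg000:004482D5
seg000:004482D5 ; ---------------------------------------------------------------------------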
下面是用 Hex-Rays 反编译得到的结果
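/*
 * Hex-Rays pseudocode for sub_4481D0 (the listing above).
 *
 * __thiscall on x86: `this` arrives in ECX, a2 and a3 on the stack, and the
 * callee pops its 8 bytes of arguments ("retn 8"). `this` is dereferenced on
 * the very first statement (function-pointer table read at offset 0, slot
 * +212), so a caller that does not supply a valid object pointer in ECX
 * faults right there.
 *
 * Returns: the byte at this+113524, or, when that byte is nonzero, the int
 * result of the __cdecl call made through the pointer read at this+4*5775.
 */
char __thiscall sub_4481D0(void *this, int a2, int a3)
{
    char result;   // al@1
    int v4;        // edi@1
    void *v5;      // esi@1
    char v6;       // al@2
    signed int v7; // eax@3
    signed int v8; // ecx@3
    int v9;        // ebx@6
    int v10;       // eax@6

    v5 = this;
    // Indirect call through the table at *this; a2 is its only argument.
    result = (*(int (__stdcall **)(int))(*(_DWORD *)this + 212))(a2);
    // a2 indexes a pointer array inside the object (cf. [esi+edi*4+1BBD4h]).
    v4 = *((_DWORD *)v5 + a2 + 28405);
    if ( v4 )
    {
        (*(void (__thiscall **)(int, int))(*(_DWORD *)v4 + 76))(v4, a3);
        v6 = *(_BYTE *)(v4 + 156);
        *(_DWORD *)(v4 + 28) = -1;
        if ( v6 )
        {
            // 178-iteration XOR fold over the off_4AC700 table (loop at 448221).
            v7 = -1316978140;
            v8 = 178;
            do
                v7 ^= off_4AC700[v8-- - 134796];
            while ( v8 );
            *(_DWORD *)(v5 + v7 + 46571536) = 1;
            *((_DWORD *)v5 + 28390) = -1;
            (*(void (__thiscall **)(int))(*(_DWORD *)v4 + 56))(v4);
            *(_DWORD *)(*((_DWORD *)v5 + 5775) + 639) = a3;
            *(_DWORD *)(*((_DWORD *)v5 + 542) + 560) = 0;
            if ( a3 == 8 )
            {
                *((_DWORD *)v5 + 28053) = -1;
            }
            else
            {
                *((_DWORD *)v5 + 543) = a3;
                (*(void (__thiscall **)(void *, signed int))(*(_DWORD *)v5 + 192))(v5, -1);
                v9 = **((_DWORD **)v5 + 542);
                v10 = rand();
                (*(void (__thiscall **)(_DWORD, int, signed int, signed int))(v9 + 152))(*((_DWORD *)v5 + 542), v10, -1, -1);
            }
        }
        else
        {
            *(_DWORD *)(v4 + 76) = 2;
        }
        // The flag byte becomes the return value unless the __cdecl call below overrides it.
        result = *((_BYTE *)v5 + 113524);
        if ( result )
            result = (*(int (__cdecl **)(int, _DWORD, _DWORD))(*((_DWORD *)v5 + 5775) + 9122))(
                         v4 + 109,
                         *(_DWORD *)(v4 + 88),
                         *(_DWORD *)(v4 + 92));
    }
    return result;
}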
我的问题是：如何通过注入的 DLL 来调用它？
在 00481D0 断点处的寄存器为
EAX = 004AC4E8
EBX = 00EEC774
ECX = 00EEC774
EDX = 00000000
ESI = 00EEC774
EDI = 0012F040
EBP = 0012E744
ESP = 0012E72C
EIP = 004481D0
这是我目前的代码，但它会让目标程序崩溃。
static DWORD the_hook_address = 0x4481D0;
// Inline-asm call into sub_4481D0. The callee is __thiscall (it copies ECX to ESI
// and dereferences it right away) and pops its own two dword args with "retn 8".
// NOTE(review): ECX is never loaded before the CALL below, so whatever happens to
// be in ECX is used as the object pointer -- this is the crash the answer below
// points at.
// NOTE(review): the hand-written push ebp / leave / ret pair only makes sense inside
// a __declspec(naked) function; in a normal function the compiler already emits a
// prologue and epilogue, and this "ret" would not return to the caller -- confirm
// the surrounding context.
__asm
{
push ebp
mov ebp,esp
push ebx
PUSH 4 // a3 (args pushed right to left)
PUSH 4 // a2
CALL [the_hook_address] // indirect call through the stored address
// RETN 8 // 4 * 2 args -- correctly left out: the callee's "retn 8" already pops them
pop ebx
leave
ret
}
看起来你的汇编例程期望 ecx 中已有某个值（this 指针？）。你需要在调用前把它初始化为有效的指针。
seg000:004481D0 ; =============== S U B R O U T I N E =======================================
seg000:004481D0
seg000:004481D0 ; Attributes: bp-based frame
seg000:004481D0 ; Calling convention as seen in the body: this in ECX (copied to ESI),
seg000:004481D0 ; two dword args at [ebp+8] / [ebp+0Ch], callee-cleaned ("retn 8").
seg000:004481D0 ; EBX/ESI/EDI are saved and restored. ECX is dereferenced at 4481DA,
seg000:004481D0 ; so a caller that leaves ECX uninitialized faults there.
seg000:004481D0
seg000:004481D0 sub_4481D0 proc near
seg000:004481D0
seg000:004481D0 arg_0 = dword ptr 8
seg000:004481D0 arg_4 = dword ptr 0Ch
seg000:004481D0
seg000:004481D0 push ebp
seg000:004481D1 mov ebp, esp
seg000:004481D3 push esi
seg000:004481D4 mov esi, ecx ; this (ECX) -> ESI
seg000:004481D6 push edi
seg000:004481D7 mov edi, [ebp+arg_0]
seg000:004481DA mov eax, [esi] ; first dereference of this
seg000:004481DC push edi
seg000:004481DD call dword ptr [eax+0D4h]
seg000:004481E3 mov edi, [esi+edi*4+1BBD4h]
seg000:004481EA test edi, edi
seg000:004481EC jz loc_4482D2
seg000:004481F2 mov eax, [ebp+arg_4]
seg000:004481F5 mov edx, [edi]
seg000:004481F7 push ebx
seg000:004481F8 push eax
seg000:004481F9 mov ecx, edi
seg000:004481FB call dword ptr [edx+4Ch]
seg000:004481FE mov al, [edi+9Ch]
seg000:00448204 or edx, 0FFFFFFFFh
seg000:00448207 test al, al
seg000:00448209 mov [edi+1Ch], edx
seg000:0044820C jz loc_4482A5
seg000:00448212 mov eax, 0B1808224h
seg000:00448217 mov ecx, 0B2h
seg000:0044821C mov ebx, offset off_4AC700
seg000:00448221
seg000:00448221 loc_448221: ; CODE XREF: sub_4481D0+59j
seg000:00448221 xor eax, [ebx+ecx*4-83A30h]
seg000:00448228 dec ecx
seg000:00448229 jnz short loc_448221
seg000:0044822B mov dword ptr [eax+esi+2C6A010h], 1
seg000:00448236 mov [esi+1BB98h], edx
seg000:0044823C mov edx, [edi]
seg000:0044823E mov ecx, edi
seg000:00448240 call dword ptr [edx+38h]
seg000:00448243 mov ecx, [esi+5A3Ch]
seg000:00448249 mov eax, [ebp+arg_4]
seg000:0044824C cmp eax, 8
seg000:0044824F mov [ecx+27Fh], eax
seg000:00448255 mov edx, [esi+878h]
seg000:0044825B mov dword ptr [edx+230h], 0
seg000:00448265 jz short loc_448299
seg000:00448267 mov [esi+87Ch], eax
seg000:0044826D mov eax, [esi]
seg000:0044826F push 0FFFFFFFFh
seg000:00448271 mov ecx, esi
seg000:00448273 call dword ptr [eax+0C0h]
seg000:00448279 mov ecx, [esi+878h]
seg000:0044827F push 0FFFFFFFFh
seg000:00448281 push 0FFFFFFFFh
seg000:00448283 mov ebx, [ecx]
seg000:00448285 call _rand
seg000:0044828A mov ecx, [esi+878h]
seg000:00448290 push eax
seg000:00448291 call dword ptr [ebx+98h]
seg000:00448297 jmp short loc_4482AC
seg000:00448299 ; ---------------------------------------------------------------------------
seg000:00448299
seg000:00448299 loc_448299: ; CODE XREF: sub_4481D0+95j
seg000:00448299 mov dword ptr [esi+1B654h], 0FFFFFFFFh
seg000:004482A3 jmp short loc_4482AC
seg000:004482A5 ; ---------------------------------------------------------------------------
seg000:004482A5
seg000:004482A5 loc_4482A5: ; CODE XREF: sub_4481D0+3Cj
seg000:004482A5 mov dword ptr [edi+4Ch], 2
seg000:004482AC
seg000:004482AC loc_4482AC: ; CODE XREF: sub_4481D0+C7j
seg000:004482AC ; sub_4481D0+D3j
seg000:004482AC mov al, [esi+1BB74h]
seg000:004482B2 pop ebx
seg000:004482B3 test al, al
seg000:004482B5 jz short loc_4482D2
seg000:004482B7 mov eax, [edi+5Ch]
seg000:004482BA mov ecx, [edi+58h]
seg000:004482BD mov edx, [esi+5A3Ch]
seg000:004482C3 push eax
seg000:004482C4 add edi, 6Dh
seg000:004482C7 push ecx
seg000:004482C8 push edi
seg000:004482C9 call dword ptr [edx+23A2h]
seg000:004482CF add esp, 0Ch
seg000:004482D2
seg000:004482D2 loc_4482D2: ; CODE XREF: sub_4481D0+1Cj
seg000:004482D2 ; sub_4481D0+E5j
seg000:004482D2 pop edi
seg000:004482D3 pop esi
seg000:004482D4 pop ebp
seg000:004482D5 retn 8 ; callee pops the two dword args
seg000:004482D5 sub_4481D0 endp
seg000:004482D5
seg000:004482D5 ; ---------------------------------------------------------------------------
Here is how it decompiles with Hex-Rays
/*
 * Hex-Rays pseudocode for sub_4481D0 (the listing above).
 *
 * __thiscall on x86: `this` arrives in ECX, a2 and a3 on the stack, and the
 * callee pops its 8 bytes of arguments ("retn 8"). `this` is dereferenced on
 * the very first statement (function-pointer table read at offset 0, slot
 * +212), so a caller that does not supply a valid object pointer in ECX
 * faults right there.
 *
 * Returns: the byte at this+113524, or, when that byte is nonzero, the int
 * result of the __cdecl call made through the pointer read at this+4*5775.
 */
char __thiscall sub_4481D0(void *this, int a2, int a3)
{
char result; // al@1
int v4; // edi@1
void *v5; // esi@1
char v6; // al@2
signed int v7; // eax@3
signed int v8; // ecx@3
int v9; // ebx@6
int v10; // eax@6
v5 = this;
// Indirect call through the table at *this; a2 is its only argument.
result = (*(int (__stdcall **)(int))(*(_DWORD *)this + 212))(a2);
// a2 indexes a pointer array inside the object (cf. [esi+edi*4+1BBD4h]).
v4 = *((_DWORD *)v5 + a2 + 28405);
if ( v4 )
{
(*(void (__thiscall **)(int, int))(*(_DWORD *)v4 + 76))(v4, a3);
v6 = *(_BYTE *)(v4 + 156);
*(_DWORD *)(v4 + 28) = -1;
if ( v6 )
{
// 178-iteration XOR fold over the off_4AC700 table (loop at 448221).
v7 = -1316978140;
v8 = 178;
do
v7 ^= off_4AC700[v8-- - 134796];
while ( v8 );
*(_DWORD *)(v5 + v7 + 46571536) = 1;
*((_DWORD *)v5 + 28390) = -1;
(*(void (__thiscall **)(int))(*(_DWORD *)v4 + 56))(v4);
*(_DWORD *)(*((_DWORD *)v5 + 5775) + 639) = a3;
*(_DWORD *)(*((_DWORD *)v5 + 542) + 560) = 0;
if ( a3 == 8 )
{
*((_DWORD *)v5 + 28053) = -1;
}
else
{
*((_DWORD *)v5 + 543) = a3;
(*(void (__thiscall **)(void *, signed int))(*(_DWORD *)v5 + 192))(v5, -1);
v9 = **((_DWORD **)v5 + 542);
v10 = rand();
(*(void (__thiscall **)(_DWORD, int, signed int, signed int))(v9 + 152))(*((_DWORD *)v5 + 542), v10, -1, -1);
}
}
else
{
*(_DWORD *)(v4 + 76) = 2;
}
// The flag byte becomes the return value unless the __cdecl call below overrides it.
result = *((_BYTE *)v5 + 113524);
if ( result )
result = (*(int (__cdecl **)(int, _DWORD, _DWORD))(*((_DWORD *)v5 + 5775) + 9122))(
v4 + 109,
*(_DWORD *)(v4 + 88),
*(_DWORD *)(v4 + 92));
}
return result;
}
My question is how do I call it using an injected DLL?
The registers at the 00481D0 breakpoint are
EAX = 004AC4E8
EBX = 00EEC774
ECX = 00EEC774
EDX = 00000000
ESI = 00EEC774
EDI = 0012F040
EBP = 0012E744
ESP = 0012E72C
EIP = 004481D0
This is what I have, but it crashes my target.
static DWORD the_hook_address = 0x4481D0;
// Inline-asm call into sub_4481D0. The callee is __thiscall (it copies ECX to ESI
// and dereferences it right away) and pops its own two dword args with "retn 8".
// NOTE(review): ECX is never loaded before the CALL below, so whatever happens to
// be in ECX is used as the object pointer -- this is the crash the answer below
// points at.
// NOTE(review): the hand-written push ebp / leave / ret pair only makes sense inside
// a __declspec(naked) function; in a normal function the compiler already emits a
// prologue and epilogue, and this "ret" would not return to the caller -- confirm
// the surrounding context.
__asm
{
push ebp
mov ebp, esp
push ebx
PUSH 4//a3 (args pushed right to left)
PUSH 4//a2
CALL [the_hook_address]//indirect call through the stored address
//RETN 8 //4 * 2 args -- correctly left out: the callee's "retn 8" already pops them
pop ebx
leave
ret
}
Looks like your asm routine expects something (this?) in ecx. You need to initialize that to a valid pointer before the call.